[PATCH] add testcases for wildcards in subaltname

Ludwig Nussel ludwig.nussel at suse.de
Thu Oct 23 08:56:18 EDT 2008


Signed-off-by: Ludwig Nussel <ludwig.nussel at suse.de>

---
 test/makekeys.sh  |    5 ++++-
 test/openssl.conf |    4 ++++
 test/ssl.c        |   22 ++++++++++++++++++++++
 3 files changed, 30 insertions(+), 1 deletions(-)

diff --git a/test/makekeys.sh b/test/makekeys.sh
index 591cfdd..64ba053 100755
--- a/test/makekeys.sh
+++ b/test/makekeys.sh
@@ -112,6 +112,9 @@ ${REQ} -new -key ${srcdir}/server.key -out altname7.csr
 csr_fields "Bad ipAddress altname 3 Dept" nowhere.example.com | \
 ${REQ} -new -key ${srcdir}/server.key -out altname8.csr
 
+csr_fields "Wildcard Altname Dept 1" | \
+${REQ} -new -key ${srcdir}/server.key -out altname9.csr
+
 csr_fields "Bad Hostname Department" nohost.example.com | \
 ${REQ} -new -key ${srcdir}/server.key -out wrongcn.csr
 
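Review bot: The new `csr_fields "Wildcard Altname Dept 1"` call passes no hostname argument, unlike the neighbouring calls, so the CN of altname9.cert is whatever csr_fields defaults to (its definition is outside this hunk). fail_wildcard in test/ssl.c connects as "localhost" and expects NE_SSL_IDMISMATCH, so that test appears to be meaningful only if the default CN is "localhost". I would make the dependency explicit, either by passing the CN as the second argument or with a comment such as `# CN left at the csr_fields default; fail_wildcard relies on the CN being ignored when a dNSName altname is present`.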
@@ -189,7 +192,7 @@ ${CA} -startdate `asn1date "2 days ago"` -enddate `asn1date "yesterday"` -in exp
 
 ${CA} -startdate `asn1date "tomorrow"` -enddate `asn1date "2 days"` -in notyet.csr -out notyet.cert
 
-for n in 1 2 3 4 5 6 7 8; do
+for n in 1 2 3 4 5 6 7 8 9; do
  ${CA} -extensions altExt${n} -days 900 \
      -in altname${n}.csr -out altname${n}.cert
 done
diff --git a/test/openssl.conf b/test/openssl.conf
index 781f904..bdaffec 100644
--- a/test/openssl.conf
+++ b/test/openssl.conf
@@ -79,6 +79,10 @@ subjectAltName = URI:https://localhost:7777/
 [altExt8]
 subjectAltName = URI:http://nohost.example.com/
 
+# AltName with wildcard
+[altExt9]
+subjectAltName = DNS:*.example.com
+
 [reqDN]
 countryName = Country Name
 stateOrProvinceName = State or Province Name
diff --git a/test/ssl.c b/test/ssl.c
index a9c1e12..fd79c77 100644
--- a/test/ssl.c
+++ b/test/ssl.c
@@ -505,6 +505,20 @@ static int wildcard_match(void)
     return OK;
 }
 
+static int wildcard_match_altname(void)
+{
+    ne_session *sess;
+    struct ssl_server_args args = {"altname9.cert", 0};
+    
+    sess = ne_session_create("https", "anything.example.com", 443);
+    ne_session_proxy(sess, "localhost", 7777);
+
+    CALL(any_ssl_request(sess, tunnel_server, &args, CA_CERT, NULL, NULL));
+    ne_session_destroy(sess);
+    
+    return OK;
+}
+
 /* Check that hostname comparisons are not cases-sensitive. */
 static int caseless_match(void)
 {
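Review bot: wildcard_match_altname has no comment, unlike caseless_match directly below it, and nothing explains why the session targets anything.example.com:443 through a proxy on localhost:7777. I would add `/* Check that a wildcard dNSName in subjectAltName (*.example.com) matches a single-label hostname. */` above the function. Separately, if CALL returns early on failure (its definition is outside this hunk), `ne_session_destroy(sess)` is skipped on the failing path. That may be the accepted pattern in this file, but it is worth confirming.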
@@ -856,6 +870,12 @@ static int fail_ca_notyetvalid(void)
                             "isser ca not yet valid", NE_SSL_NOTYETVALID);
 }
 
+static int fail_wildcard(void)
+{
+    return fail_ssl_request("altname9.cert", CA_CERT, "localhost",
+                            "subjaltname not honored", NE_SSL_IDMISMATCH);
+}
+
 /* Test that the SSL session is cached across connections. */
 static int session_cache(void)
 {
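Review bot: fail_wildcard connects as "localhost", so it only checks that the CN is not used for identity when the certificate carries a dNSName altname; it does not check how far the wildcard itself reaches. Nothing in this patch asserts that `*.example.com` is rejected for the bare `example.com` or for a multi-label name such as `a.b.example.com`, and over-broad wildcard matching is the failure that matters most for hostname verification. I would add negative cases built like wildcard_match_altname (session to the non-matching name, tunnelled through the local server) that expect NE_SSL_IDMISMATCH. A comment on this function would also help, for example `/* Check that the CN is ignored when the cert has a wildcard dNSName altname that does not match. */`.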
@@ -1707,6 +1727,7 @@ ne_test tests[] = {
     T(no_verify),
     T(cache_verify),
     T(wildcard_match),
+    T(wildcard_match_altname),
     T(caseless_match),
 
     T(subject_altname),
@@ -1730,6 +1751,7 @@ ne_test tests[] = {
     T(fail_bad_urialtname),
     T(fail_ca_expired),
     T(fail_ca_notyetvalid),
+    T(fail_wildcard),
 
     T(session_cache),
 	
-- 
1.5.6




